
Re: [WEB SECURITY] File uploading vulnerabilities



Mike,
Are you actually running these files once you receive them, or are you
simply storing them for later download by other users? If you are just
storing them, you might consider quickly neutering them to prevent
accidental execution by a misclick of a sysadmin or malicious
execution by someone who has compromised your Web app in some way.
Virus scanning is unreliable and CPU-intensive. Of course, the
download page should suggest to users who are downloading these
executables that they may contain malicious code.

Neutering should include renaming (in such a way that the user can't
predict the new name) and blanking permissions at the very least, and
XORing or compressing the file in some way so the OS doesn't interpret
it as executable if you are extra paranoid and have some spare CPU
cycles.

If you have to actually run them on the server, well...

-j

On Wed, Sep 10, 2008 at 8:22 AM, mike <mike9966@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> We have functionality in the web application, where an end user needs to
> upload .exe files on the server. The files are getting stored in a folder on
> the server.
>
> When I searched about the security issues related to file uploading, it was
> suggested that I need to perform a virus check before uploading. The
> application is built on ASP with no database.
>
> 1. Can anyone point me to the ways to perform virus scanning on the files
> before uploading? Are there any plug-ins/components/web services available
> which I can use to perform this action?
>
> 2. If I remove the .exe extension and store the file on the server, will that
> reduce any risk associated with viruses/Trojans?
>
> 3. Apart from the virus check, what are all the things we need to keep in mind
> (from a security standpoint) for file uploading issues?
>
>
> Thanks in advance
>
> Regards
> Mike
>
>
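The "neutering" steps j describes above (rename so the user cannot predict the name, blank the permissions, compress so the OS no longer sees an executable), written out as an added example in Python rather than the poster's ASP. This is not code from the thread; the quarantine directory layout, the returned record fields and the sample bytes are assumptions.

```python
import gzip
import hashlib
import os
import secrets
import stat
import tempfile

def quarantine_upload(data: bytes, quarantine_dir: str) -> dict:
    """Store an upload in neutered form and return a record for the app's own index."""
    os.makedirs(quarantine_dir, mode=0o700, exist_ok=True)
    # Unpredictable, server-chosen name: never the client's filename or its .exe suffix.
    token = secrets.token_hex(16)
    path = os.path.join(quarantine_dir, token + ".bin")
    # gzip-wrapping replaces the MZ magic with gzip's, so a stray double-click or a
    # request that reaches the path yields an opaque blob, not a PE file.
    blob = gzip.compress(data)
    # Owner-read-only (0400) from the first moment, no exec bit; O_EXCL refuses to
    # overwrite anything that already exists under that name.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)
    # Hash of the original bytes: a later offline AV pass or an incident responder
    # can identify the sample without re-arming it on disk.
    return {"token": token, "path": path,
            "sha256": hashlib.sha256(data).hexdigest()}

def is_neutered(path: str) -> bool:
    """True if the stored file carries no exec bit and no longer starts with MZ."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "rb") as fh:
        head = fh.read(2)
    return (mode & 0o111) == 0 and head != b"MZ"

def release_for_download(path: str) -> bytes:
    """Re-inflate only at download time; the copy on disk stays inert."""
    with gzip.open(path, "rb") as fh:
        return fh.read()

# Constructed sample (assumption): a fake PE header, not a real program.
SAMPLE_EXE = b"MZ" + b"\x00" * 62 + b"constructed fake PE body, not executable code"

def demo() -> dict:
    """Run the whole flow in a fresh temp directory and report what a check would see."""
    rec = quarantine_upload(SAMPLE_EXE, tempfile.mkdtemp(prefix="quarantine-"))
    return {"neutered": is_neutered(rec["path"]),
            "roundtrip_ok": release_for_download(rec["path"]) == SAMPLE_EXE,
            "name_leaks_ext": rec["path"].endswith(".exe"),
            "sha256": rec["sha256"]}
```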

Brought to you by http://www.webappsec.org